Products

Pricing

Test Library

Solutions

Resources

See docs

Start free

Test Library

JWT authentication bypass via jku header injection

Since Host server is using the JKU field of the JWT without validating, attacker can tamper with the payload of JWT and access protected resources.

Broken User Authentication (BUA)

"The endpoint appears to be vulnerable to broken authentication attack.The original request was replayed by adding the JKU parameter value to the header of JWT and signing with Akto's key. The server responded with 2XX success codes. This indicates that this endpoint can be accessed with a tampered JWT.<br>" "<b>Background:</b> The JSON Web Signature specification defines the optional \"jku\" header, which contains a URL pointing to a set of keys used by the server to digitally sign the JWT. This parameter is particularly useful for servers that are configured to use multiple different keys because it can help to determine which key to use when verifying the signature. If the target application implicitly trusts this header, it may verify the signature using an arbitrary public key obtained from the provided URL, essentially relying on data that can be tampered with client-side. A malicious user could insert or modify a \"jku\" header so that it points to an external server containing a JSON Web Key Set that they've generated themselves. They could then re-sign the token using the matching private key and check whether the server still accepts it."

"The endpoint appears to be vulnerable to broken authentication attack.The original request was replayed by adding the JKU parameter value to the header of JWT and signing with Akto's key. The server responded with 2XX success codes. This indicates that this endpoint can be accessed with a tampered JWT.<br>" "<b>Background:</b> The JSON Web Signature specification defines the optional \"jku\" header, which contains a URL pointing to a set of keys used by the server to digitally sign the JWT. This parameter is particularly useful for servers that are configured to use multiple different keys because it can help to determine which key to use when verifying the signature. If the target application implicitly trusts this header, it may verify the signature using an arbitrary public key obtained from the provided URL, essentially relying on data that can be tampered with client-side. A malicious user could insert or modify a \"jku\" header so that it points to an external server containing a JSON Web Key Set that they've generated themselves. They could then re-sign the token using the matching private key and check whether the server still accepts it."

Impact of the vulnerability

Impact of the vulnerability

"Using this vulnerability an attacker can do a full account takeover. <br><br>" "They can also exploit this vulnerability by supplying an arbitrary claim in the JWT payload to escalate their privileges or impersonate other users. For example, if the token contains a \"username\": \"joe\" claim, they could change this to \"username\": \"admin\"."

"Using this vulnerability an attacker can do a full account takeover. <br><br>" "They can also exploit this vulnerability by supplying an arbitrary claim in the JWT payload to escalate their privileges or impersonate other users. For example, if the token contains a \"username\": \"joe\" claim, they could change this to \"username\": \"admin\"."

How this template works

APIs Selection

The template uses API selection filters to specify the criteria for selecting the requests to be executed. In this case, the template filters requests based on the response code, ensuring that it is greater than or equal to 200 and less than 300. It also filters requests based on the presence of a JWT in the request headers.

Execute request

The template uses the "single" type of execution, which means that only one request will be executed. The request is specified under the "requests" section. In this case, the template replaces the authentication header with the value of the "jku_added_token" from the authentication context.

Validation

After executing the request, the template validates the response code to ensure it is within the expected range of 200 to 300. This is done using the "response_code" validation rule, which checks that the response code is greater than or equal to 200 and less than 300.

Frequently asked questions

What is the purpose of the "JKU" header in a JSON Web Token (JWT)

How does the vulnerability in the "ADD_JKU_TO_JWT" category impact the application

Can you explain how an attacker can exploit the vulnerability by tampering with the JWT payload

What are the potential consequences of a successful exploitation of this vulnerability

Are there any specific security measures recommended to mitigate this vulnerability

Are there any known real-world examples or references related to this vulnerability

Loved by security teams!

Loved by security teams!

Product Hunt Badge

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Security team,

Rippling

Explore other tests

CSRF Login attack

JWT Failed to verify Signature

JWT None Algorithm

Broken Authentication by removing auth token

CSRF test by removing csrf token

CSRF test by replacing with invalid csrf token

Learn more:

API security tests

5 min read

How to test JWT NONE Algorithm vulnerability?

OWASP top 10

10 min read

What's changed in OWASP API Security Top 10 2023 Release Candidate from 2019?

Suggest API security tests

Suggest API security tests

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.